Re: DDoS attack

[Mike Hammett <nanog () ics-il net>]

An additional 800 Mbps would severely constrain if not topple dozens if not hundreds of ISPs I know. 




----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

----- Original Message -----

From: "Filip Hruska" <fhr () fhrnet eu> 
To: nanog () nanog org 
Sent: Monday, December 9, 2019 2:15:39 PM 
Subject: Re: DDoS attack 

Hello, 

which attack protocol are seeing? I suspect you're seeing DNS based amplification or similar, in which case you can't 
really pinpoint the attack source... 

800Mbps is not a whole lot of traffic - does it cause any disruptions to you? If the prefixes are not in use, I would 
suggest the use of RTBH (null routing / blackholing) 

Kind Regards, 
Filip Hruska 




On 9 December 2019 9:07:35 pm GMT+01:00, "ahmed.dalaali () hrins net" <ahmed.dalaali () hrins net> wrote: 

Dear All, 

My network is being flooded with UDP packets, Denial of Service attack, soucing from Cloud flare and Google IP 
Addresses, with 200-300 mbps minimum traffic, the destination in my network are IP prefixes that is currnetly not used 
but still getting traffic with high volume. 
The traffic is being generated with high intervals between 10-30 Minutes for each time, maxing to 800 mbps 
When reached out cloudflare support, they mentioned that there services are running on Nat so they can’t pin out which 
server is attacking based on ip address alone, as a single IP has more than 5000 server behind it, providing 1 source 
IP and UDP source port, didn’t help either 
Any suggestions? 

Regards, 
Ahmed Dala Ali 



-- 
Sent from my mobile device. Please excuse my brevity.